Diffstat (limited to 'grpc/src/core/ext/xds/xds_certificate_provider.h')
-rw-r--r--grpc/src/core/ext/xds/xds_certificate_provider.h129
1 files changed, 84 insertions, 45 deletions
diff --git a/grpc/src/core/ext/xds/xds_certificate_provider.h b/grpc/src/core/ext/xds/xds_certificate_provider.h
index 4d13423a..2f508830 100644
--- a/grpc/src/core/ext/xds/xds_certificate_provider.h
+++ b/grpc/src/core/ext/xds/xds_certificate_provider.h
@@ -31,44 +31,34 @@ namespace grpc_core {
class XdsCertificateProvider : public grpc_tls_certificate_provider {
public:
- XdsCertificateProvider(
- absl::string_view root_cert_name,
- RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor,
- absl::string_view identity_cert_name,
- RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor,
- std::vector<XdsApi::StringMatcher> san_matchers);
-
+ XdsCertificateProvider();
~XdsCertificateProvider() override;
- void UpdateRootCertNameAndDistributor(
- absl::string_view root_cert_name,
- RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
- void UpdateIdentityCertNameAndDistributor(
- absl::string_view identity_cert_name,
- RefCountedPtr<grpc_tls_certificate_distributor>
- identity_cert_distributor);
- void UpdateSubjectAlternativeNameMatchers(
- std::vector<XdsApi::StringMatcher> matchers);
-
grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
const override {
return distributor_;
}
- bool ProvidesRootCerts() {
- MutexLock lock(&mu_);
- return root_cert_distributor_ != nullptr;
- }
+ bool ProvidesRootCerts(const std::string& cert_name);
+ void UpdateRootCertNameAndDistributor(
+ const std::string& cert_name, absl::string_view root_cert_name,
+ RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
- bool ProvidesIdentityCerts() {
- MutexLock lock(&mu_);
- return identity_cert_distributor_ != nullptr;
- }
+ bool ProvidesIdentityCerts(const std::string& cert_name);
+ void UpdateIdentityCertNameAndDistributor(
+ const std::string& cert_name, absl::string_view identity_cert_name,
+ RefCountedPtr<grpc_tls_certificate_distributor>
+ identity_cert_distributor);
- std::vector<XdsApi::StringMatcher> subject_alternative_name_matchers() {
- MutexLock lock(&san_matchers_mu_);
- return san_matchers_;
- }
+ bool GetRequireClientCertificate(const std::string& cert_name);
+ // Updating \a require_client_certificate for a non-existing \a cert_name has
+ // no effect.
+ void UpdateRequireClientCertificate(const std::string& cert_name,
+ bool require_client_certificate);
+
+ std::vector<StringMatcher> GetSanMatchers(const std::string& cluster);
+ void UpdateSubjectAlternativeNameMatchers(
+ const std::string& cluster, std::vector<StringMatcher> matchers);
grpc_arg MakeChannelArg() const;
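Review bot: `GetRequireClientCertificate(const std::string& cert_name)` has no documented result for a cert_name that is not in the map, even though its sibling `UpdateRequireClientCertificate` directly above it does document the unknown-name case. If the implementation falls back to `false` for an unregistered name (the field's in-class default is `false`), a caller that looks up the wrong or not-yet-registered name silently gets "client certificate not required", which is the fail-open direction for an mTLS setting; the .cc is not in this hunk, so that behaviour is inferred rather than seen. Please state the contract on the declaration, e.g. `// Returns false if \a cert_name is not known; callers must check ProvidesRootCerts/ProvidesIdentityCerts first rather than treat an unknown name as "not required".`, or return an `absl::optional<bool>` so the missing-entry case cannot be confused with an explicit false. The same question applies to `GetSanMatchers(const std::string& cluster)`: an empty vector for an unknown cluster is indistinguishable from "no SAN restriction configured", so say which it is, e.g. `// Returns an empty vector if \a cluster has no matchers registered.`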
@@ -76,14 +66,73 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
const grpc_channel_args* args);
private:
+ class ClusterCertificateState {
+ public:
+ explicit ClusterCertificateState(
+ XdsCertificateProvider* xds_certificate_provider)
+ : xds_certificate_provider_(xds_certificate_provider) {}
+
+ ~ClusterCertificateState();
+
+ // Returns true if the certs aren't being watched and there are no
+ // distributors configured.
+ bool IsSafeToRemove() const;
+
+ bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; }
+ bool ProvidesIdentityCerts() const {
+ return identity_cert_distributor_ != nullptr;
+ }
+
+ void UpdateRootCertNameAndDistributor(
+ const std::string& cert_name, absl::string_view root_cert_name,
+ RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
+ void UpdateIdentityCertNameAndDistributor(
+ const std::string& cert_name, absl::string_view identity_cert_name,
+ RefCountedPtr<grpc_tls_certificate_distributor>
+ identity_cert_distributor);
+
+ void UpdateRootCertWatcher(
+ const std::string& cert_name,
+ grpc_tls_certificate_distributor* root_cert_distributor);
+ void UpdateIdentityCertWatcher(
+ const std::string& cert_name,
+ grpc_tls_certificate_distributor* identity_cert_distributor);
+
+ bool require_client_certificate() const {
+ return require_client_certificate_;
+ }
+ void set_require_client_certificate(bool require_client_certificate) {
+ require_client_certificate_ = require_client_certificate;
+ }
+
+ void WatchStatusCallback(const std::string& cert_name,
+ bool root_being_watched,
+ bool identity_being_watched);
+
+ private:
+ XdsCertificateProvider* xds_certificate_provider_;
+ bool watching_root_certs_ = false;
+ bool watching_identity_certs_ = false;
+ std::string root_cert_name_;
+ std::string identity_cert_name_;
+ RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
+ RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
+ grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+ root_cert_watcher_ = nullptr;
+ grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
+ identity_cert_watcher_ = nullptr;
+ bool require_client_certificate_ = false;
+ };
+
void WatchStatusCallback(std::string cert_name, bool root_being_watched,
bool identity_being_watched);
- void UpdateRootCertWatcher(
- grpc_tls_certificate_distributor* root_cert_distributor);
- void UpdateIdentityCertWatcher(
- grpc_tls_certificate_distributor* identity_cert_distributor);
+
+ RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
Mutex mu_;
+ std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>>
+ certificate_state_map_ ABSL_GUARDED_BY(mu_);
+
// Use a separate mutex for san_matchers_ to avoid deadlocks since
// san_matchers_ needs to be accessed when a handshake is being done and we
// run into a possible deadlock scenario if using the same mutex. The mutex
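Review bot: `ClusterCertificateState`'s accessors and setters (`ProvidesRootCerts`, `ProvidesIdentityCerts`, `require_client_certificate`, `set_require_client_certificate`, `IsSafeToRemove`) read and write plain fields with no lock of their own, and only the owning map `certificate_state_map_` is `ABSL_GUARDED_BY(mu_)`, so correctness depends on every caller already holding the outer `mu_` while touching a state object. The analyzer cannot check that as written; since the inner class keeps a back-pointer, the requirement can be expressed, e.g. `bool ProvidesRootCerts() const ABSL_EXCLUSIVE_LOCKS_REQUIRED(xds_certificate_provider_->mu_) { return root_cert_distributor_ != nullptr; }`, or at least a class comment stating that all methods must be called with the provider's `mu_` held. The raw `xds_certificate_provider_` back-pointer and the two `TlsCertificatesWatcherInterface*` members are non-owning and their lifetime is not documented; presumably the provider outlives each state because it holds them by `unique_ptr` in the map, and the watchers are cancelled on the distributor in `~ClusterCertificateState()`, but neither is visible here, so please note the ownership on the members. The outer `WatchStatusCallback` on the following lines is presumably invoked by the distributor and forwards into the state's `WatchStatusCallback`; if that path takes `mu_`, it deserves a comment like the one already written for `san_matchers_mu_` about which locks may be held on entry.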
@@ -93,18 +142,8 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
// -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
// subject_alternative_names_matchers()
Mutex san_matchers_mu_;
- bool watching_root_certs_ = false;
- bool watching_identity_certs_ = false;
- std::string root_cert_name_;
- std::string identity_cert_name_;
- RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
- RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
- std::vector<XdsApi::StringMatcher> san_matchers_;
- RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
- grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
- root_cert_watcher_ = nullptr;
- grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
- identity_cert_watcher_ = nullptr;
+ std::map<std::string /*cluster_name*/, std::vector<StringMatcher>>
+ san_matcher_map_ ABSL_GUARDED_BY(san_matchers_mu_);
};
} // namespace grpc_core
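Review bot: The deadlock-rationale comment kept above `san_matchers_mu_` ends with `subject_alternative_names_matchers()`, a name that does not exist on either side of this diff (the old accessor was `subject_alternative_name_matchers()`, and this change renames it to `GetSanMatchers()`), so the comment now points at a method nobody can find. The line should read `// GetSanMatchers()` so the call chain it describes matches the new API. The new `san_matcher_map_` is keyed by cluster name while `certificate_state_map_` is keyed by cert name; a one-line comment on the member saying the two keyspaces are independent, e.g. `// Keyed by cluster name, unlike certificate_state_map_ (cert name).`, would prevent a caller from passing the wrong key and, depending on how `GetSanMatchers` treats a miss, silently disabling SAN checks.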